The customer information your organization collects and analyzes can give you incredibly detailed and useful insights. But for all the advantages this storehouse of data can bring, it can also bring significant risks.

Anytime you collect information about your customers, you run the risk of exposing personally identifiable information. That can not only raise your customers' ire but may also cause your organization to run afoul of security breach laws.

How can you protect your organization? Is it enough to have a well-written privacy policy — and try to follow the rules?

Not So Simple

In short, no, said Lizzie Komar, associate analyst at AdExchanger Research and author of the new white paper Define PII Today to Prepare for the Privacy Demands of the Future (fee charged). “Privacy needs to be viewed as a critical component of your product offering, a core value within your internal culture (extolled by all, not just the CPO), and a communicated part of your external image,” she said.

You also need practices in place for handling personally identifiable information, or PII.

But before you decide how you’re going to handle and protect PII at your organization, you have to understand what it is.

Traditionally, PII is defined as information such as a consumer’s name and home address, email address, credit or debit card numbers, or other critical data such as driver's license numbers, bank account numbers or Social Security numbers.

But marketers may not always define PII broadly enough. It also includes things like:

  • Birth dates
  • Mother’s maiden name
  • Tax or employee ID numbers
  • IP addresses

When in doubt, err on the side of caution, the paper suggests.

Create a plan for success

Some other tips for managing PII:

Set yourself apart. Let your customers know your company is privacy friendly, and regularly ask their permission to use their information, says the white paper. Also establish clear privacy practices and make sure consumers understand them.

Focus on privacy from the top down. “For members of the C-suite, an outspoken commitment to privacy is essential,” said Komar. “Communicate with your employees how critical an issue privacy is through intra-company correspondences, educational programming, and by enforcing privacy by design principles and processes.”

Learn from the mistakes of others. Read up on privacy risks and know what’s going on in the industry. “Stay abreast of industry best practices and newsworthy privacy wins or failures,” said Komar. Don’t fall victim to the same type of breach that hit another company last month.

Know the risks. “These days it seems we don’t go a week without a news story about the misappropriation of consumer data or a damaging security breach,” said Komar. “For companies that aren’t transparent with their customers about what data they’re collecting and why they’re collecting it, this type of coverage is not good.”

Every breach makes customers more wary—which is bad news for everyone, and may ultimately cost you your business. Consumers have choices, said Komar. “Less established companies or services on which consumers don’t heavily rely will feel pain the most – one privacy misstep could wipe them out entirely,” she said. “Thus it’s in all companies’ best interest to develop a plan for transparency and communication when it comes to consumer data, and to take privacy self-regulation very seriously.”